This guidance defines cyber security, outlines your charity's legal obligations, and explains how to manage the risks of cyber attacks.
There are also additional resources available, including a cyber security assessment and checklist, as well as templates for your charity's use.
Cyber security is protecting your charity's electronic information from unauthorised access.
Cyber security applies to all electronic information, but if your charity handles personal or sensitive information, you must be particularly careful about how it is protected.
Some charities, due to a lack of resources or time, may not have considered cyber security. This is understandable, but it creates vulnerability.
Charities should make sure that staff and volunteers have a basic understanding of cyber security issues.
Personal and sensitive information
Personal information and sensitive information are defined in the Privacy Act 1988 (Cth) (the Privacy Act).
Personal information is information or an opinion about an identified person (or a person that can reasonably be identified), regardless of whether the information or opinion is true or recorded in a material form.
Sensitive information is a subset of personal information, and may include, for example, a person’s religious or philosophical beliefs, sexual orientation or health information.
For more on what constitutes personal information and sensitive information, see the key concepts in the Australian Privacy Principles guidelines.
The Privacy Act has requirements for the way personal information and sensitive information are collected and stored. The Office of the Australian Information Commissioner's (OAIC) Australian Privacy Principles guidelines has information about these requirements.
We also have a guide on managing people's information and data, which provides information for charities about collecting, storing and using the information and data they hold about people in a responsible way.
At a general level, all charities registered with the ACNC must continue to be not-for-profit and pursue charitable purposes. They must also keep financial records, and report information annually – including financial information.
Most charities must also comply with the ACNC Governance Standards and, for charities operating overseas, the External Conduct Standards.
Depending on the location and nature of your charity’s operations, there may be other state, federal or overseas legislation with which your charity must comply. This means your charity may have legal obligations for the way it collects and stores information. This will depend on the location and nature of your charity’s operations.
You should consider getting legal advice to fully understand what legal obligations there may be for your charity.
Risks and possible consequences
It is not only large companies and government agencies that can fall victim to cyber attacks. Charities – even smaller ones – can be targeted too. And, often having weaker defences, smaller charities can be especially vulnerable.
Commons cyber security risks include:
- unauthorised access to a device, network or system
- viruses or other malicious software that can collect, change or delete information and spread throughout a network
- fake emails or websites set up to trick someone into revealing personal or sensitive information.
The consequences of an incident can be significant. They may include:
- loss of crucial information
- disruption to services
- unauthorised changes to your charity’s information and systems
- expensive costs to restore data and services
- costs of notification and investigation (including legal costs)
- costs arising from the attack itself (for example, extortion or ransomware)
- regulatory action and penalties
- loss of trust and reputation.
When a charity has inadequate security for its computer systems, it is more vulnerable to attacks and less likely to be able to detect them. This can then make responding to attacks more difficult and can increase the time and cost of recovery.
Protecting your charity from cyber attacks
Although everyone in a charity has an important part to play in protecting against cyber attacks, the ultimate responsibility is with the charity’s Responsible People.
The Responsible People must consider the circumstances of their charity and make sure that they can identify and manage relevant cyber security risks.
How charities manage cyber security risks will vary significantly, but there are four steps that every charity can take to help protect against cyber incidents:
- Identify and assess the risks.
- Prevent incidents and mitigate risks.
- Engage people in the charity, and even third parties, to help manage risks.
- Take action and respond effectively when concerns, suspicion or complaints arise.
Most of these actions are simple and most charities will be able to do them. But if you think your charity doesn’t have anyone available with enough knowledge and experience, you may need to seek outside help.
The first step is to identify the data, information and knowledge your charity has that could be of value to a potential attacker.
Keep a list of these as ‘critical assets’ in a register, and prioritise their importance. Doing this will help you to focus attention and limited resources on protecting the highest priorities.
- identify the information and assets that are vital for your charity to run smoothly
- find out who is collecting personal and sensitive information in your charity, how they collect it, and where it is stored.
After you have identified your charity’s ‘critical assets’, do a risk assessment to help you think about what could go wrong with them. This is a simple process that:
- identifies risks
- considers potential incidents
- analyses the likelihood and effect of an incident
- explores ways to manage risks.
You should record the findings of your charity’s risk assessment and review it regularly to make sure it remains relevant and up to date.
There are many practical things your charity can do to mitigate risks and prevent incidents.
- Limit access: Only allow staff and volunteers to access information they need for their roles.
- Protect devices: Use anti-virus software to protect all computers, tablets and smart phones. Modern anti-virus software can find, contain and remove viruses. Users should scan their systems regularly with the software and keep the software updated.
- Protect networks: Use a firewall for your charity’s network. This is software that can prevent unauthorised access to a network, and unauthorised use of the network by your charity’s staff and volunteers.
- Use only authorised resources: Only allow approved applications (apps) on your charity’s computer and phones, and block access to inappropriate websites and downloads.
- Use passwords effectively:
- Make sure your charity has unique passwords to protect every device and system.
- If your charity provides devices to staff and volunteers, all the default passwords should be changed before they are handed out.
- A strong password is made up of at least eight characters, uses both capital and lowercase letters and numbers, and contains at least one special character. Passwords should be changed at least every three months.
- Use additional user verification for access to critical information such as financial or health information. For example, a one-time security code sent to the user’s email account or phone in addition to their regular password.
- Make back-ups: Make sure your charity’s important information is backed up regularly. Charities increasingly use the ‘cloud’ (a shared computer and storage resource service that is accessed through the internet) to protect their information, rather than a physical device. This is a way to securely store back-ups outside of the charity’s physical location.
Your charity should have a plan for responding to cyber security issues and data breaches. We have a template plan for responding to data breaches below that your charity can use.
Everyone in the charity should be familiar with the plan and have access to it if they need it.
Your charity could use the following steps to manage, respond and address a data breach or other cyber security issue:
- Identify and contain: Understand what is happening and, if possible, take steps to prevent other systems, devices or data from being affected.
- Investigate: Find out the nature of the issue, which devices and systems are affected, and what the risks might be.
- Assess the risks and respond: Work out what harm has been done, the effects of the harm, and what could go wrong from here.
- Act and notify: Decide on the priorities for protecting individuals and organisations from further harm. In the case of a data breach, follow the OAIC notification guidelines to inform the regulator and other parties if required.
- Review: Look over your charity’s policies, procedures and systems to identify any changes that would reduce the likelihood and consequences of similar issues occurring again.
Case study: Learning from experience
A charity that provides support for elderly people in a regional town keeps personal and sensitive information about its clients on computers. It relies on staff and volunteers to enter and update this information.
The charity always thought it was doing enough to protect the information of its clients – it locked away physical files and had strong passwords on its computers and devices – but it had no way to stop someone with access to the charity’s computers from downloading users’ information.
The charity was shocked when contacted by a journalist from a local paper who said that someone had found a USB stick in a café that had the personal details of the charity’s clients on it. The paper published a story about the incident and the charity spent several days responding to angry enquiries from its users and their families.
Fortunately, the charity had a good reputation in the community and this helped it recover. But its Responsible People quickly realised that better measures were needed to make sure the charity was protected against cyber security threats and able to gain the trust of the community again.
Despite not being cyber security experts, the charity’s Responsible People found lots of useful information online about cyber security threats, including suggestions of the sorts of things a charity could do to protect itself. In response to the incident, the charity:
- approved a new policy which restricted access to certain files on the charity’s computers
- organised training sessions for staff and volunteers about the data and information protection
- agreed to review policies annually and organised spot checks to ensure staff and volunteers were complying with the rules
- decided to set aside some funds for ongoing cyber security measures.
The charity’s Responsible People also agreed on a new plan for handling any future incidents. This included the need to report certain serious data breaches to the Office of the Australian Information Commissioner (OAIC).
Cyber security resources
After reading this guide, you can check your understanding by taking our cyber security assessment. We also have a checklist that your charity can use to ensure it has policies and procedures in place to manage cyber security risks.
You do not need to submit the assessment or checklist to the ACNC – they are optional resources designed to help you measure your understanding of cyber security, and to identify areas for further training or improvement.
We also have a critical asset register template and a template plan for responding to a data breach that your charity can use as a guide.
More information and resources
- Managing people’s information and data, ACNC
- Damn good advice on cyber safety and fraud prevention, Our Community
- Guide to conducting privacy impact assessments, OAIC
- Notifiable data breaches, OAIC
- Australian Cyber Security Centre, Australian Signals Directorate
- Creating a cybersecurity policy, Business.gov.au
- Cyber security: Small charity guide, National Cyber Security Centre (UK)
- Protecting charities from fraud and cyber crime, Charity Commission of England and Wales (UK)
- Cyber security, Digital Transformation Hub